9

Why do so many Android developers use Google Play to distribute apps instead of (or in addition to) simply putting the APK on their secure website along with a checksum or signature of it?

Geremia
  • 1,636
  • 3
  • 19
  • 33
  • 1
    I think it is matter of convenience and acceptance. Consumer used to search on Google Play, read reviews and get some level of trust. For a producer it's a simple way to promote the app. – VovCA May 20 '17 at 20:04
  • @VovCA I simply don't understand why so many developers are opposed to distributing APKs in addition to distributing them on Google Play. They argue it is more secure to distribute them on Google Play only. Why? – Geremia May 20 '17 at 20:31
  • 2
    It's more secure for users because Google can, will, and has removed malicious software from Google Play. It's more secure for developers because they don't have to worry about implementing their own anti-piracy measures. – Stephen Touset May 20 '17 at 20:38
  • Is your intent asking whether it is secure to trust Play Store will not alter your APK's payload to distribute badware to Android users? What is the threat model you are talking about? – usr-local-ΕΨΗΕΛΩΝ Jul 25 '18 at 20:09

4 Answers4

6

One of the best security practices is keeping your software up to date. With the Google Play Store, you can set your installed apps to update automatically (if this isn't already set by default).

To keep manually downloaded apps up to date, you would have to download their APKs every time their developers publish a new version. To do this, you would probably have to subscribe to a newsletter or RSS feed, and check your email/RSS reader regularly for updates. This might be an acceptable setup for a couple of apps, but this will become troublesome as the number of your apps increases. Not to mention, you'll probably have to check the signatures/checksums of the apps one by one to verify their integrity.

Terrance Tambling-Goggin Orz
  • 61
  • 1
5

First and foremost, publishing an APK on your website encourages bad security practices on the user's part. In my opinion you should be encouraging the average user to trust only the Google Play Store for the following reasons:

  • Downloading APK's from a website requires the user to confirm the source is secure and legitimate, or test the APK to make sure it's safe. In practice, many users just rely on Google Play Protect to catch malicious apps and risk getting infected with trojans like Googlian or this fake Google Chrome
  • Not using the Google Play store makes it harder to keep apps up to date. If a security bug is found in your code, or a shared library needs a security patch, how are you going to make sure all users know about the update? Side-loaded apps don't update in the Play Store. Providing a notification to the user and especially forcing them to update isn't simple either.
  • Side-loading, or installing apps from sources other than Google Play, requires changing your security settings to enable side-loading. This opens up users to accidentally side-loading malware if they aren't careful, including through other channels like malvertising. In Android Oreo this permission is a little more complex, but you can still open up users to side-loading through malvertising.

Second, your website is presumably less secure than Google's app store. If an attacker compromises your website (or redirects users to their servers by using a MITM or DNS poisoning attack) they could trick users into installing a compromised version of the APK. Posting the hash of the APK or your developer signature won't help here since they could change that part of the website as well (checksums offer very limited security protection, and signatures are mostly for developer authentication and nonrepudiation). Depending on how secure your website is, this may not be a large and realistic threat. Typically, compromised sites instead not-so-subtly encourage downloading generic malware apps under the guise of Adobe flash, a browser update, etc (like this example).

Third, your website could be phished or spoofed. Hackers have been known to make banking websites that look legitimate, post links to them or SEO-optimize them, and plant fake banking apps with malware on the spoofed site (source) . This goes along with my earlier point that you should be encouraging your average user to trust only the Google Play store.

Note: I intentionally focused on the security issues at play here, rather than the significant usability and convenience issues.

Edit: this answer is no longer correct thanks to the replacement of Google Bouncer with Android Play Protect

Cody P
  • 1,148
  • 6
  • 14
4

When you use Google Play to distribute your app, you declare that you comply with Google's Content Policy, which means that the app is safer for the end users in many ways, including some security restrictions. The end users know that Google screens all apps that are uploaded to the Play Store, and methodically removes ones that don't follow the rules, or simply misbehave.

On Play Store, the users can reliably check the permissions your app is going to request, and see other user's complaints, not filtered by your PR.

To use your independent distribution channel, they must reach the "enable Unknown sources" toggle which is placed in "Security Settings" section. It is dangerous to leave this toggle enabled, because some malware uses this channel of distribution, too.

The App Security Improvement Program can help an indie developer, too, to avoid some risks, e.g. it will warn the dev if some deprecated library or unsafe implementation is detected.

It is important to understand, though, that using Play Store does not make your app less vulnerable for piracy, it still can be stolen, reverse engineered, and even uploaded to the same Play Store by a malicious party under a different name.

UPDATE: here are some security restrictions imposed by Google Play developer policies:

The following are explicitly prohibited:

  • Viruses, trojan horses, malware, spyware or any other malicious software.
  • Apps that link to or facilitate the distribution or installation of malicious software.
  • Apps or SDKs that download executable code, such as dex files or native code, from a source other than Google Play.
  • Apps that introduce or exploit security vulnerabilities.
  • Apps that steal a user’s authentication information (such as usernames or passwords) or that mimic other apps or websites to trick users into disclosing personal or authentication information.
  • Apps that install other apps on a device without the user’s prior consent.
  • Apps designed to secretly collect device usage, such as commercial spyware apps.
Alex Cohn
  • 823
  • 5
  • 7
  • Since the play store rules allow spyware, the benefit is rather limited. – CodesInChaos May 21 '17 at 15:27
  • 2
    To add to that: play store handles the signing and verifying of the signatures of your binaries. Something that is impossible to achieve as good and with so less impact on usability when distributing binaries yourself. In most cases, the root CA of the play store is distributed by the device manufacturer; it doesnt get much more secure (except for government organized suveillance; but thats a whole other story). – marstato May 26 '17 at 00:39
  • This does not says anything about disadvantages of providing apk in addition to putting that apk on playstore. – yyy May 26 '17 at 06:12
  • The major disadvantages of providing direct link to APK are not security, but when an indie developer has to take of all these issues, this may reduce security – Alex Cohn May 26 '17 at 11:25
  • @Alex Cohn: This is a problem, if developer does not have a website, but if website is available, then process of providing apk would be just just uploading the file there. What additional issues could be there? – yyy May 26 '17 at 12:42
  • No, a generic web site is not enough. As other answers emphasize here, the infrastructure for secure app updates is a big deal. Also, it may be a pain to add alternative in-app purchases system. – Alex Cohn May 26 '17 at 15:11
  • Good answer. Is there any evidence that Google does automated scanning to enforce those rules, or do they rely on people manually reporting suspicious apps? – Mike Ounsworth Jul 25 '18 at 21:17
  • @mikeounsworth [Google confirmed that for the last few months they've been using automated scans, as well as manual checks performed by humans when it comes to screening apps submitted to Google Play](https://www.csoonline.com/article/2901520/application-security/googles-screening-process-could-help-mitigate-new-android-vulnerability.html) – Alex Cohn Jul 26 '18 at 14:45
  • @AlexCohn That article talks about a scanning for a very specific thing, not the whole list. That list is so broadly worded that I'm skeptical that it's even possible to scan for "Apps designed to secretly collect device usage" or "Apps that mimic other apps or websites". Like, those sound good on paper, but _how_ are they actually enforcing it? – Mike Ounsworth Jul 26 '18 at 14:54
  • You are absolutely right, not all the rules are equally verifiable. On the other hand, some restrictions that can't be detected with static analysis, are revealed in live monitoring. Unexpected pattern of use of data, battery, or other animals behaviour will trigger a deeper investigation. – Alex Cohn Jul 26 '18 at 20:54
-1

Security and many other reasons as people said in comments could be, but don't forget the real power of Google Play:

I think the main reason is on Google Play you can hit many more people. Is an easy and quick way to reach more users trying to make your app more known.

Siracuso
  • 91
  • 1
  • 11